Fake Gmail Login Page Steals Credentials

A new Gmail phishing attack is tricking users with fake voicemail notifications and stealing their login credentials through a highly sophisticated setup.

The campaign, first identified by Anurag, begins with emails disguised as “New Voice Notification” alerts. These messages appear to come from trusted voicemail services and include a “Listen to Voicemail” button. Clicking it sends victims through a series of compromised websites.

The first stage is especially deceptive, hosted on Microsoft’s legitimate Dynamics marketing platform (assets-eur.mkt.dynamics.com). This use of trusted infrastructure gives the attack credibility and helps it slip past normal email security filters.

Afterward, users are sent to a CAPTCHA page on ‘horkyrown[.]com’, a domain registered in Pakistan. The CAPTCHA creates a false sense of security while being part of the malicious setup. The final step shows a flawless copy of Gmail’s login page, complete with Google branding.

Once users enter their information, the system captures not only emails and passwords but also two-factor authentication codes, backup recovery codes, and even answers to security questions. The data is exfiltrated to servers abroad before victims realize they’ve been compromised.

Anurag observed that “the malicious JavaScript powering the fake login page employs sophisticated obfuscation methods.” The code uses AES encryption to hide its purpose and contains anti-debugging tools that redirect users to the real Google login page if they try to inspect it..

Experts warn this campaign represents “a significant evolution in phishing techniques, combining social engineering with legitimate infrastructure abuse and advanced technical evasion methods.”

Gmail users are advised to be cautious of unexpected voicemail notifications and always verify login prompts through official Google channels. Those who suspect they were targeted should immediately change their passwords and review recent account activity.